Path traversal in rclone - CVE-2026-59733
Published: July 9, 2026
rclone
Detailed vulnerability description
The vulnerability allows a remote user to read, overwrite, and delete other users' repositories.
The vulnerability exists due to path traversal in the rclone serve restic private repository path handling when processing crafted URL paths containing ".." segments. A remote user can send a specially crafted HTTP request to read, overwrite, and delete other users' repositories.
Exploitation requires valid HTTP Basic credentials for the attacker's own private repository, the server must be running with serve restic --private-repos, and impact depends on a backend that resolves object paths with POSIX-style path cleaning semantics.